Added tests for IAM policies for bucket operations (#19734)

* Added tests for bucket access policies Signed-off-by: Shubhendu Ram Tripathi <shubhendu@minio.io> * move to correct category of tests Signed-off-by: Shubhendu Ram Tripathi <shubhendu@minio.io> --------- Signed-off-by: Shubhendu Ram Tripathi <shubhendu@minio.io>
2024-05-14 21:13:07 +05:30 · 2024-05-14 21:13:07 +05:30 · de4d3dac00
parent 534e7161df
commit de4d3dac00
5 changed files with 131 additions and 0 deletions
--- a/.github/workflows/replication.yaml
+++ b/.github/workflows/replication.yaml
@ -42,6 +42,12 @@ jobs:
          sudo sysctl net.ipv6.conf.default.disable_ipv6=0
          make test-ilm

+      - name: Test PBAC
+        run: |
+          sudo sysctl net.ipv6.conf.all.disable_ipv6=0
+          sudo sysctl net.ipv6.conf.default.disable_ipv6=0
+          make test-pbac
+
      - name: Test Config File
        run: |
          sudo sysctl net.ipv6.conf.all.disable_ipv6=0
--- a/4
+++ b/4
@ -57,6 +57,10 @@ test-ilm: install-race
 	@echo "Running ILM tests"
 	@env bash $(PWD)/docs/bucket/replication/setup_ilm_expiry_replication.sh

+test-pbac: install-race
+	@echo "Running bucket policies tests"
+	@env bash $(PWD)/docs/iam/policies/pbac-tests.sh
+
 test-decom: install-race
 	@echo "Running minio decom tests"
 	@env bash $(PWD)/docs/distributed/decom.sh
--- a/docs/iam/policies/deny-non-sse-kms-objects.json
+++ b/docs/iam/policies/deny-non-sse-kms-objects.json
@ -0,0 +1,17 @@
+{
+   "Version":"2012-10-17",
+   "Id":"PutObjectPolicy",
+   "Statement":[{
+         "Sid":"DenyObjectsThatAreNotSSEKMS",
+         "Effect":"Deny",
+         "Principal":"*",
+         "Action":"s3:PutObject",
+         "Resource":"arn:aws:s3:::multi-key-poc/*",
+         "Condition":{
+            "Null":{
+               "s3:x-amz-server-side-encryption-aws-kms-key-id":"true"
+            }
+         }
+      }
+   ]
+}
--- a/docs/iam/policies/deny-objects-with-invalid-sse-kms-key-id.json
+++ b/docs/iam/policies/deny-objects-with-invalid-sse-kms-key-id.json
@ -0,0 +1,17 @@
+{
+   "Version":"2012-10-17",
+   "Id":"PutObjectPolicy1",
+   "Statement":[{
+         "Sid":"DenyObjectsWithInvalidSSEKMS",
+         "Effect":"Deny",
+         "Principal":"*",
+         "Action":"s3:PutObject",
+         "Resource":"arn:aws:s3:::multi-key-poc/*",
+         "Condition":{
+            "StringNotEquals":{
+               "s3:x-amz-server-side-encryption-aws-kms-key-id":"minio-default-key"
+            }
+         }
+      }
+   ]
+}
--- a/docs/iam/policies/pbac-tests.sh
+++ b/docs/iam/policies/pbac-tests.sh
@ -0,0 +1,87 @@
+#!/bin/bash
+
+if [ -n "$TEST_DEBUG" ]; then
+	set -x
+fi
+
+pkill minio
+pkill kes
+rm -rf /tmp/xl
+
+if [ ! -f ./mc ]; then
+	wget --quiet -O mc https://dl.minio.io/client/mc/release/linux-amd64/mc &&
+		chmod +x mc
+fi
+
+if [ ! -f ./kes ]; then
+	wget --quiet -O kes https://github.com/minio/kes/releases/latest/download/kes-linux-amd64 &&
+		chmod +x kes
+fi
+
+if ! openssl version &>/dev/null; then
+	apt install openssl || sudo apt install opensssl
+fi
+
+# Start KES Server
+(./kes server --dev 2>&1 >kes-server.log) &
+kes_pid=$!
+sleep 5s
+API_KEY=$(grep "API Key" <kes-server.log | awk -F" " '{print $3}')
+(openssl s_client -connect 127.0.0.1:7373 2>/dev/null 1>public.crt)
+
+export CI=true
+export MINIO_KMS_KES_ENDPOINT=https://127.0.0.1:7373
+export MINIO_KMS_KES_API_KEY="${API_KEY}"
+export MINIO_KMS_KES_KEY_NAME=minio-default-key
+export MINIO_KMS_KES_CAPATH=public.crt
+export MC_HOST_myminio="http://minioadmin:minioadmin@localhost:9000/"
+
+(minio server http://localhost:9000/tmp/xl/{1...10}/disk{0...1} 2>&1 >/dev/null) &
+pid=$!
+
+sleep 30s
+
+./mc admin user add myminio/ minio123 minio123
+
+./mc admin policy create myminio/ deny-non-sse-kms-pol ./docs/iam/policies/deny-non-sse-kms-objects.json
+./mc admin policy create myminio/ deny-invalid-sse-kms-pol ./docs/iam/policies/deny-objects-with-invalid-sse-kms-key-id.json
+
+./mc admin policy attach myminio deny-non-sse-kms-pol --user minio123
+./mc admin policy attach myminio deny-invalid-sse-kms-pol --user minio123
+./mc admin policy attach myminio consoleAdmin --user minio123
+
+./mc mb -l myminio/test-bucket
+./mc mb -l myminio/multi-key-poc
+
+export MC_HOST_myminio1="http://minio123:minio123@localhost:9000/"
+
+./mc cp /etc/issue myminio1/test-bucket
+ret=$?
+if [ $ret -ne 0 ]; then
+	echo "BUG: PutObject to bucket: test-bucket should succeed. Failed"
+	exit 1
+fi
+
+./mc cp /etc/issue myminio1/multi-key-poc | grep -q "Insufficient permissions to access this path"
+ret=$?
+if [ $ret -eq 0 ]; then
+	echo "BUG: PutObject to bucket: multi-key-poc without sse-kms should fail. Succedded"
+	exit 1
+fi
+
+./mc cp /etc/hosts myminio1/multi-key-poc/hosts --enc-kms "myminio1/multi-key-poc/hosts=minio-default-key"
+ret=$?
+if [ $ret -ne 0 ]; then
+	echo "BUG: PutObject to bucket: multi-key-poc with valid sse-kms should succeed. Failed"
+	exit 1
+fi
+
+mc cp /etc/issue myminio1/multi-key-poc/issue --enc-kms "myminio1/multi-key-poc/issue=minio-default-key-xxx" | grep "Insufficient permissions to access this path"
+ret=$?
+if [ $ret -eq 0 ]; then
+	echo "BUG: PutObject to bucket: multi-key-poc with invalid sse-kms should fail. Succeeded"
+	exit 1
+fi
+
+kill $pid
+kill $kes_pid